Simple Login Brute Force / Current Password Requirement Bypass

In this blog post, I'll describe a scenario that you can add to your bug bounty checklist.

While hunting on a private program I came across many IDORs, XSS and CSRF bugs, all pretty straightforward. There was, however, one instance that was slightly different and that I was seeing for the first time.

The application had a username/email update mechanism. To update either field, the user had to enter their current password, to prevent unauthorized changes. Following is the POST request:

Note that the old username was sent as a hidden parameter; it was not a field in the visible form.

After some tampering I found that supplying any valid combination of the "old_username" and "password" parameters (any valid credentials, e.g. the attacker's own) made it possible to change the logged-in account's username to any value without entering that account's current password.

This bypasses the current password requirement. The back end only checked that the submitted pair was a valid credential, irrespective of which account was logged in.

In simple words, a person having temporary access to your account can update your email and take over your account without knowing your current password.

And what about the login brute force?

Easy. Since only the credential pair is verified at the back end, irrespective of who is logged in, pass the victim's username or email in the "old_username" or "old email" field and brute force the "password" field.

On a successful guess you will receive the response saying the username/email was updated (the attacker's own username/email, that is). The request that produced that response contains the victim's valid credentials.

i.e., you are brute forcing the victim's password from the attacker's own account, through an endpoint that is not the login form.
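To make the flaw and its fix concrete, here is an added example (my own illustration, not code from the audited application) that models both the current-password bypass and the brute-force oracle described above. `UserStore`, `update_username_vulnerable`, `update_username_hardened`, the user names and the word list are all hypothetical; the `session_user` argument stands in for whatever account the server resolves from the session cookie.

```python
import hashlib
import hmac
import os

# Constructed demo. The names below (UserStore, update_username_*) are hypothetical
# and do not correspond to the audited site's code.

PBKDF2_ITERATIONS = 10_000  # deliberately low so the demo runs fast; use far more in production


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class UserStore:
    """In-memory user table: username -> (salt, password hash)."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}

    def add(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def verify(self, username: str, password: str) -> bool:
        """True iff (username, password) is a valid credential pair for *any* account."""
        entry = self.users.get(username)
        if entry is None:
            _hash(password, bytes(16))  # burn the same time so unknown usernames are not a timing oracle
            return False
        salt, stored = entry
        return hmac.compare_digest(_hash(password, salt), stored)

    def rename(self, old: str, new: str) -> bool:
        if old == new:
            return True
        if old not in self.users or new in self.users:
            return False
        self.users[new] = self.users.pop(old)
        return True


def update_username_vulnerable(store, session_user, form):
    """Mirrors the bug in the post: the server checks that the submitted
    old_username/password pair is valid, not that it belongs to session_user."""
    if not store.verify(form["old_username"], form["password"]):
        return {"ok": False, "error": "Invalid current password"}
    if not store.rename(session_user, form["new_username"]):
        return {"ok": False, "error": "Username unavailable"}
    return {"ok": True, "message": f"Username updated to {form['new_username']}"}


def update_username_hardened(store, session_user, form):
    """Fix: the account being modified is the one behind the session, so the password
    must be *that* account's password. The client-supplied old_username is ignored."""
    if not store.verify(session_user, form["password"]):
        return {"ok": False, "error": "Invalid current password"}
    if not store.rename(session_user, form["new_username"]):
        return {"ok": False, "error": "Username unavailable"}
    return {"ok": True, "message": f"Username updated to {form['new_username']}"}


def brute_force_via_update(handler, store, attacker, victim, wordlist):
    """Use the update endpoint as a password oracle from the attacker's own session:
    old_username is the victim, password is each guess, new_username is left unchanged."""
    for guess in wordlist:
        form = {"old_username": victim, "password": guess, "new_username": attacker}
        if handler(store, attacker, form)["ok"]:
            return guess
    return None


WORDLIST = ["password", "123456", "letmein", "hunter2", "qwerty"]  # constructed guess list


def demo():
    """Run both attacks against both handlers; returns a dict of outcomes."""
    results = {}
    for name, handler in (("vulnerable", update_username_vulnerable),
                          ("hardened", update_username_hardened)):
        store = UserStore()
        store.add("attacker", "attacker-pass")
        store.add("victim", "hunter2")
        # 1. Login brute force: logged in as "attacker", guess the victim's password.
        results[f"{name}_bruteforce"] = brute_force_via_update(handler, store, "attacker", "victim", WORDLIST)
        # 2. Current-password bypass: someone with a temporary session on the victim's
        #    account renames it using their *own* credentials, never knowing "hunter2".
        resp = handler(store, "victim", {"old_username": "attacker", "password": "attacker-pass",
                                         "new_username": "taken-over"})
        results[f"{name}_bypass"] = resp["ok"] and "taken-over" in store.users
    return results


if __name__ == "__main__":
    print(demo())
```

Against the vulnerable handler the oracle recovers `hunter2` and the bypass succeeds; against the hardened one both fail, because the only password the server will accept is the one for the account behind the session. When fixing this in a real application, treat the endpoint as an authentication endpoint as well: it should get the same failed-attempt throttling or lockout as the login form, otherwise a correct identity check still leaves a slow password oracle.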